minidlna: Addition of patches to fix CVE-2022-26505
authorAdolf Belka <adolf.belka@ipfire.org>
Sat, 30 Apr 2022 17:34:58 +0000 (19:34 +0200)
committerPeter Müller <peter.mueller@ipfire.org>
Sun, 1 May 2022 08:45:12 +0000 (08:45 +0000)
- CVE-2022-26505  A DNS rebinding issue in ReadyMedia (formerly MiniDLNA) before 1.3.1
   allows a remote web server to exfiltrate media files. CVE created on 6th March 2022
- minidlna have created the patches to fix CVE-2022-26505 and have created a git tag for
   version 1.3.1 but have not provided any 1.3.1 source tarballs. A ticket was raised on
   14th March 2022 in the source forge support system asking to "Please publish a tarball
   for 1.3.1" but there was no reply from the developer so far.
- In the NIST National Vulnerability Database it refers to a fix implemented in 1.3.1 but
   the link to the sourceforge page is only the patches applied for the fix
- I used those diff descriptions to create a patch to implement on the existing 1.3.0
   version in IPFire and this patch submission applies that fix
- Incremented the lfs PAK_VER

Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Reviewed-by: Peter Müller <peter.mueller@ipfire.org>
lfs/minidlna
src/patches/minidlna-1.3.0-fix-DNS-rebinding-issue-CVE-2022-26505.patch [new file with mode: 0644]

index 17cf76339521b751d79bd354c03e49c7d5395a7d..0fa7aec969c9e7a5445e2b7fd94d8d4a10aa7db5 100644 (file)
@@ -34,7 +34,7 @@ DL_FROM    = $(URL_IPFIRE)
 DIR_APP    = $(DIR_SRC)/$(THISAPP)
 TARGET     = $(DIR_INFO)/$(THISAPP)
 PROG       = minidlna
-PAK_VER    = 8
+PAK_VER    = 9
 
 DEPS       = ffmpeg flac libexif libid3tag libogg
 
@@ -84,6 +84,7 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
        @$(PREBUILD)
        @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar axf $(DIR_DL)/$(DL_FILE)
        $(UPDATE_AUTOMAKE)
+       cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/minidlna-1.3.0-fix-DNS-rebinding-issue-CVE-2022-26505.patch
        cd $(DIR_APP) && ./configure --prefix=/usr
        cd $(DIR_APP) && make $(MAKETUNING) $(EXTRA_MAKE)
        cd $(DIR_APP) && make install
diff --git a/src/patches/minidlna-1.3.0-fix-DNS-rebinding-issue-CVE-2022-26505.patch b/src/patches/minidlna-1.3.0-fix-DNS-rebinding-issue-CVE-2022-26505.patch
new file mode 100644 (file)
index 0000000..c284258
--- /dev/null
@@ -0,0 +1,44 @@
+--- minidlna-1.3.0/upnphttp.c.orig     2020-11-24 19:53:50.000000000 +0100
++++ minidlna-1.3.0/upnphttp.c  2022-04-30 12:59:23.432073807 +0200
+@@ -273,6 +273,11 @@
+                               p = colon + 1;
+                               while(isspace(*p))
+                                       p++;
++                                  n = 0;
++                                  while(p[n] >= ' ')
++                                          n++;
++                                  h->req_Host = p;
++                                  h->req_HostLen = n;                                 
+                               for(n = 0; n < n_lan_addr; n++)
+                               {
+                                       for(i = 0; lan_addr[n].str[i]; i++)
+@@ -909,6 +914,18 @@
+       }
+       DPRINTF(E_DEBUG, L_HTTP, "HTTP REQUEST: %.*s\n", h->req_buflen, h->req_buf);
++      if(h->req_Host && h->req_HostLen > 0) {
++              const char *ptr = h->req_Host;
++              DPRINTF(E_MAXDEBUG, L_HTTP, "Host: %.*s\n", h->req_HostLen, h->req_Host);
++              for(i = 0; i < h->req_HostLen; i++) {
++                      if(*ptr != ':' && *ptr != '.' && (*ptr > '9' || *ptr < '0')) {
++                              DPRINTF(E_ERROR, L_HTTP, "DNS rebinding attack suspected (Host: %.*s)", h->req_HostLen, h->req_Host);
++                              Send404(h);/* 403 */
++                              return;
++                      }
++                      ptr++;
++              }
++      }       
+       if(strcmp("POST", HttpCommand) == 0)
+       {
+               h->req_command = EPost;
+--- minidlna-1.3.0/upnphttp.h.orig     2020-11-24 19:53:50.000000000 +0100
++++ minidlna-1.3.0/upnphttp.h  2022-04-30 13:00:22.619152312 +0200
+@@ -89,6 +89,8 @@
+       struct client_cache_s * req_client;
+       const char * req_soapAction;
+       int req_soapActionLen;
++      const char * req_Host;        /* Host: header */
++      int req_HostLen;
+       const char * req_Callback;      /* For SUBSCRIBE */
+       int req_CallbackLen;
+       const char * req_NT;
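Review bot: The Host check added just before the `strcmp("POST", HttpCommand)` dispatch is a character allowlist (digits, `.` and `:` only), so besides rebinding requests it also answers 404 to any client that addresses the server by name or by a bracketed IPv6 literal, and it never compares the value with the addresses in `lan_addr`. That trade-off deserves a comment above the loop, for example `/* Only numeric IPv4[:port] Host values are accepted; names and IPv6 literals are rejected to stop DNS rebinding */`. The guard `if(h->req_Host && h->req_HostLen > 0)` lets a request with no Host header, or an empty one, through unchecked, which looks acceptable for browser-driven rebinding but should be a stated decision rather than an implicit one. The error log call has no trailing newline, unlike the two neighbouring `DPRINTF` calls, so I would write `"DNS rebinding attack suspected (Host: %.*s)\n"`, and `Send404(h);/* 403 */` should either send a 403 or drop the comment. The enclosing functions start and end outside these hunks, and since the commit message says the patch was built from the upstream 1.3.1 diffs, these points are best raised upstream as well.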